Tuesday, February 04, 2020

The App That Disrupted the Iowa Caucuses
A cascading set of failures led us here.

by Cari Hernandez Published on Tuesday, February 04, 2020 by Medium
The IDP intended the app to be used as the primary method of gathering and transmitting results, but apparently failed to impress this upon the people actually working with the app. (Photo: Alex Wong/Getty Images)
Last night, we watched as the Iowa caucuses slowly unfolded and ultimately collapsed in real time. Today, my little corner of the internet is abuzz with righteous anger and, in some cases, conspiracy theories. One thing is certain: we are all shocked at the sheer incompetence displayed by the Iowa Democratic Party and all those involved in the development of the app that was supposed to simplify and expedite the process.

According to a New York Times report, the app had only been under consideration for state-wide use for a couple of months. As more stories come out, a picture starts to form showing that a series of decisions and mistakes were made that led us here. By all accounts, it seems that users were unclear as to the app’s purpose. The IDP intended the app to be used as the primary method of gathering and transmitting results, but apparently failed to impress this upon the people actually working with the app.

Many users did not even get to the point of attempting to use the app, in part because of requirements related to the installation process that would cause the average user to skip using an app, especially if they believe they don’t have to. The average user is not going to bypass their phone’s permissions and sideload an app that they believe is simply a backup method to what they’re putting on paper and calling in.

Unsurprisingly, users were also not required to be trained on the app before the caucuses, and based on the information currently available it appears no significant end-user testing was performed. One indication of the failure to communicate basic information about the app is people like Pete Buttigieg’s comms director tweeting out pictures that contained PIN numbers that would allow one to access the app if they were able to get it on their phone.

Once it became clear the app was not working, users turned to the usual method of calling in their results. Troy Price, the chairman of the state party, previously stated that there would be multiple redundancies in place and that he was “confident” in their contingency planning.

What we actually saw was an abject failure of planning. This backup method was an embarrassment. One precinct secretary was on hold with the party’s hotline for over an hour, and then had his call disconnected by the person on the other end live on CNN.

Des Moines County Democratic Chair Tom Courtney described similar scenes across his county, where caucus organizers attempted to call in their results to no avail. It seems they were unprepared for the number of calls they were swamped with after the app’s failure.

As another backup method, Iowa instituted a paper trail for the first time: paper ballots were to be returned to the caucus chair in order to be eligible to be counted in the event of a recount. But it appears that some caucus chairs were not even aware that the paper ballots would be returned to them, again likely in part due to a failure in training.

It’s tempting to blame a general reliance on tech or jump to conspiracy theories, and in this case it’s somewhat understandable. According to FEC filings, the Biden and Buttigieg 2020 campaigns have both paid the company that made the app, Shadow Inc., though it’s unclear for what. It’s also emerged that many of the people involved in the app’s development were previous Hillary for America employees in various technology roles. Screenshots of the employees’ LinkedIn profiles began circulating on Twitter not long after it became clear that something was amiss.

But I think there is a simpler explanation here. Anyone who has worked at a badly managed software company or on a poorly run team on a tight deadline is very familiar with this situation. Based on the employment histories of those involved, it appears the revolving door between campaigns and the private sector, as well as the symbiotic relationships between former campaign workers and their professional political network, is likely to blame. It’s not difficult to imagine technologists failing up through campaigns and using their connections to be awarded these contracts once they enter the private sector, leading to a situation where no one involved in the decision-making process has worked at this scale.

What you get from this is a group of people who have no idea what they are doing, being responsible for the integrity of our electoral process. From the actions of those who decided Shadow Inc. was the right company for this job, to those along every step of the way who neglected basic development practices, a cascading set of failures led us here. This is not only a failure in the planning, development, testing, and deployment of this app, but in the creation of backup methods, to the point where the electoral process is compromised. To me this doesn’t seem necessarily or purposely malicious, it seems more like incompetence and negligence.

This morning, the Iowa Democratic Party released a statement stating that their data is sound and confirming that there were no cyber security issues. It seems that while most people were focused on the looming threat of Russian election interference, much more common and less nefarious villains entered the scene: executives, product managers, developers, and party officials who did not know what they were doing. The statement conveniently does not mention that their data is incomplete, due to all the issues mentioned above.

The statement goes on to describe the issue in this way: “We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed. The application’s reporting issue did not impact the ability of precinct chairs to report data accurately.”

A lot of what we’re thinking around this situation is speculative due to the amount of information that’s available to us. But there are many questions to be asked. Who decided Shadow Inc. was capable of designing and deploying this application? What were the Biden and Buttigieg campaigns paying for when they sent thousands of dollars to Shadow Inc.? Who decided it wasn’t necessary to train the users, or even to relay to the users the purpose of the app? Who was responsible for the failure of the backup methods? Are we to believe that the issue that was identified and fixed was deployed last night, and that users again went through the process of sideloading an updated version of the app? As we go into the Nevada caucuses where the app will also be used, should we trust the people responsible for all these issues to be competent enough to fix them in time?

We deserve answers. Personally, I don’t feel confident that every process failure that we’ve seen here can be corrected in the short amount of time before Nevada. Ideally, external auditors would get involved to figure out and document what happened and give us the answers we need. We can’t settle for depending on the people who got us into this mess. If they won’t give us the transparency we deserve, we must demand it.
Update: Although initial reports indicated the same app would be used in Nevada, the Nevada Democratic Party has since released a statement vowing not to use it.
Cari Hernandez
Cari Hernandez is an engineer and socialist feminist based in Philadelphia. Follow her on Twitter @eatinginmycar.



Iowa caucus debacle is one of the most stunning tech failures ever

Published Tue, Feb 4 2020 by Kate Fazzini (@KATEFAZZINI)

KEY POINTS

The Iowa caucus debacle represents one of the most stunning failures of information security ever.

It was delivered by the very officials who have said for four years they were “ramping up” technology capabilities, convening numerous security task forces and collaborating with federal agencies to make sure everyone was in the loop on voting security.

Voters will be paying close attention to how party leaders ensure that votes going forward have clear contingency plans in place, not just to protect against hackers, but from all types of technology failures.

The Iowa caucus debacle represents one of the most stunning failures of information security ever.
This failure was delivered by the same Iowa Democratic Party officials who have said for the last four years they were “ramping up” their technology capabilities, convening seemingly endless security task forces to ensure foreign powers did not disenfranchise voters, and collaborating with federal agencies like the Department of Homeland Security to make sure everyone was in the loop on voting security.

Voters will be paying close attention to how party leaders ensure that votes going forward have clear contingency plans in place, not just to protect against hackers, but from all types of technology failures, including applications that might not work.

What happened?

Iowa officials counting the results coming in Monday from the caucusing app reported irregularities that required them to switch from the app to counting votes manually. Party officials said the “underlying data” put into the app was fine, but it is unclear as of yet how they know this or even what they consider “underlying data.”

“Last night, more than 1,600 precinct caucuses gathered across the state of Iowa and at satellite caucuses around the world,” the Iowa Democratic Party said in a statement Tuesday. “As precinct caucus results started coming in, the IDP ran them through an accuracy and quality check. It became clear that there were inconsistencies with the reports. The underlying cause of these inconsistencies was not immediately clear, and required investigation, which took time.”

The Iowa Democrats were using an application made by a partisan progressive start-up named Shadow Inc., managed by a nonprofit investment company called Acronym. In a statement, Acronym distanced itself from Shadow.
“We are reading confirmed reports of Shadow’s work with the Iowa Democratic Party on Twitter and we, like everyone else, are eagerly awaiting more information ... with respect to what happened,” Acronym said in a statement.

Iowa Democrats explained that backup measures for the Shadow app took “longer than expected.”

“We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed. The application’s reporting issue did not impact the ability of precinct chairs to report data accurately,” the Iowa Democratic Party statement said. Voters will surely be asking the Iowa Democrats to prove how they know the information is accurate with so many reported irregularities.

Shadow apologized on Twitter Tuesday afternoon. “We sincerely regret the delay in the reporting of the results of last night’s Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers.”

Why did it happen?

The Iowa Democrats and Democratic National Committee will have to answer several puzzling questions about why they chose to use the application in the first place.

First, in 2016, the Iowa caucuses used an application made by Microsoft, which worked. It’s unclear why they didn’t keep the same application, created by an established company instead of one from an untested start-up.

Microsoft is making sure people know it didn’t make this year’s app. “We had a great partnership with the Iowa political parties in 2016, but we are not part of the caucuses this year and have not been involved in building or supporting their app,” a company spokesperson tweeted.

Second, in August, the Democratic National Committee recommended Iowa stop using an app altogether. The Democratic National Committee’s Rules and Bylaws Committee voted to follow those recommendations. It said a security review had determined the virtual caucus did not meet standards for cybersecurity and reliability.
“We are — over the last week and continuing today and in the days ahead — continuing to look at what options might be available to us given the time frame that’s left,” Iowa Democratic Party Chairman Troy Price said in September, according to NPR. “We know there’s not a lot of time left. There’s 4.5 months between now and when Iowans head to the caucus sites.”

DHS acting Secretary Chad Wolf told Fox News on Tuesday that the app “was not vetted for cybersecurity.”

Now, Iowa is scrambling for answers.

Cybersec vs. Infosec: Why it matters here

Iowans are learning about the important distinction today between cybersecurity and information security.

Loosely speaking: In cybersecurity, organizations work to defend against hackers. In the broader field of information security, organizations work to be able to recover quickly whether they have been hit by a cyberattack, someone tripped over a cord in a data center or a server farm gets knocked out by a hurricane. Cybersecurity falls into the bigger bucket of infosec and resiliency planning.

In this case, it appears as though cybersecurity wasn’t the issue, but the proper back-up planning, testing and vetting procedures were completely deficient or simply absent entirely. They had an app that they knew was problematic. They used it anyway without properly testing their back-up plans, each stage of which has proved to take longer than usual.

Preparing for the inevitability of a cyberattack meant the Iowa Democrats, Democratic National Committee and DHS should all have been ready to bounce back from a problem like this. The fact that they still haven’t recovered is likely to be more disheartening to voters than any malicious Twitter campaign or fake Facebook ad or Russian phishing bid.

All of these organizations owe it to the electorate to never let something like this happen again. Because if they can’t recover from a bad app, a hack or a hurricane could be far more devastating.
